Detections
Analytics

Alpine: multiple evince packages: security update to 48.4-r0

high Tenable Cloud Security Plugin ID 442346

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-
 click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to
 achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF
 document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF
 shared library, making the attack a single-file, single-click, configuration-independent RCE on stock
 atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from
 attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then
 handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any
 embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init,
 running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the
 issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-
 document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original
 patch did not touch. (CVE-2026-46529)

Solution

Update the evince library and its related packages to version 48.4-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-46529

Plugin Details

Severity: High

ID: 442346

Version: Revision 1.6

Type: Local

Published: 5/26/2026

Updated: 6/24/2026

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-46529

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.4

Threat Score: 7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/19/2026

Reference Information

CVE: CVE-2026-46529